Scraping the bottom of the IPv4 barrel for new addresses

Some of the last remaining blocks of IPv4 addresses turn out to attract …

As the remaining pool of IPv4 addresses dwindles (only 623 million are left!), it turns out that the remaining address space isn't exactly beachfront property. The Internet Assigned Numbers Authority (IANA) currently has 16 blocks of 16.8 million IPv4 addresses left—out of a total of 221 usable such blocks. In January, IANA gave the 1.0.0.0/8 block (all IP addresses starting with "1") to APNIC, the Asia-Pacific Network Information Centre in Brisbane, Australia, which distributes IP addresses in Asia (excluding the former USSR) and Oceania. It turns out that this block is attracting no less than 150Mbps worth of assorted traffic before getting put into use.

In a talk at the North American Network Operators Group's 49th meeting in San Francisco earlier this week, research into the seedy back alleys of "1slash8" was presented by six researchers from Merit, APNIC, and the University of Michigan. Merit, a nonprofit that runs the networks linking public universities in Michigan, "announced" the whole 1.0.0.0 block (packets aimed at addresses in this range from all corners of the Internet were forwarded to Merit) during the last week of February. This amounted to 130-150Mbps worth of traffic. For comparison, Merit also announced the 35.0.0.0/8 block, which only attracted 15-25Mbps of traffic. Also, the vast majority of the block 1 traffic was UDP, while most of the block 35 traffic was TCP.

What does this mean? After analyzing the data, it turned out that both blocks attracted roughly the same amount of scanning and backscatter traffic. Backscatter is when someone sends a packet with a fake source address. If the receiver of the packet then replies, the reply goes to the legitimate holder of the faked source address, not the sender of the original packet.

In the 35 block, only 24 percent of the traffic was due to misconfiguration, while in the 1 block this was as much as 80 percent. And most of that misconfigured traffic went to the lower addresses in the 1 block. 1.1.1.1, port 15206 took the cake at 34.5 percent of all packets. It turns out that this traffic is mostly audio data, apparently sent by misconfigured VoIP systems. In the 35 block, this type of traffic was virtually absent. Other types of traffic directed at the top 10 addresses in the 1 block can also be attributed to different types of misconfiguration.
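The breakdown described above (scanning, backscatter, and a remainder concentrated on a few destinations) can be sketched as follows. This is an added example, not the researchers' method or code: the sample packets are constructed, and the classification heuristics, the `hotspot_share` threshold, and the function names are assumptions.

```python
from collections import Counter

# Constructed sample of packets arriving at an unused ("dark") prefix.
# Not data from the study. Fields: (protocol, dst_ip, dst_port, detail),
# where detail is the TCP flag set or the ICMP message type.
PACKETS = (
    [("udp", "1.1.1.1", 15206, "")] * 8          # steady stream to one endpoint
    + [("udp", "1.2.3.4", 5060, "")] * 2
    + [("tcp", "1.77.3.9", 445, "S")] * 5        # bare SYN: a probe
    + [("tcp", "1.14.8.200", 51812, "SA")] * 3   # SYN-ACK that nobody here asked for
    + [("tcp", "1.200.5.6", 40211, "R")]
    + [("icmp", "1.9.9.9", 0, "echo-reply")]
)

# Assumed heuristic: reply-type packets reaching unused space are answers to
# packets whose source address was forged to fall inside this block.
BACKSCATTER_TCP = {"SA", "R", "RA"}
BACKSCATTER_ICMP = {"echo-reply", "dest-unreachable", "time-exceeded"}

def classify(pkt):
    proto, _dst, _port, detail = pkt
    if proto == "tcp" and detail in BACKSCATTER_TCP:
        return "backscatter"
    if proto == "icmp" and detail in BACKSCATTER_ICMP:
        return "backscatter"
    if (proto == "tcp" and detail == "S") or (proto == "icmp" and detail == "echo-request"):
        return "scanning"
    # Everything else is only a misconfiguration candidate; confirming it
    # (for example, recognizing audio payloads) needs payload inspection.
    return "other"

def summarize(packets, hotspot_share=0.20):
    """Return per-class percentages and the endpoints that dominate 'other'."""
    total = len(packets)
    by_class = Counter(classify(p) for p in packets)
    by_endpoint = Counter((p[1], p[2]) for p in packets if classify(p) == "other")
    shares = {k: round(100 * v / total, 1) for k, v in by_class.items()}
    hotspots = [(ep, round(100 * n / total, 1))
                for ep, n in by_endpoint.most_common()
                if n / total >= hotspot_share]
    return shares, hotspots

if __name__ == "__main__":
    shares, hotspots = summarize(PACKETS)
    print(shares)
    for (ip, port), pct in hotspots:
        print(f"{ip}:{port} receives {pct}% of all packets")
```
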

Although the scale is surprising, the problem itself isn't new. For instance, in 2003, buggy NetGear home gateways effectively performed a distributed denial of service attack on a University of Wisconsin NTP time server, collectively sending as many as a quarter-million packets per second. Unfortunately, the IP protocol doesn't provide a mechanism for a destination to make a source stop sending unwanted packets.

In the case of 1.0.0.0/8, APNIC has decided to quarantine five blocks of 256 addresses from the 1 block until such time that the excess traffic subsides. However, there are more hotspots in known and unknown places throughout the address space, and the researchers note that the usual practice of returning an affected block and asking for a new one may not be feasible in the long term. There is no mention of IPv6, but at least there the address space is so large and it will be so sparsely populated for years to come that trading in tainted addresses for pristine ones shouldn't be a problem.

Iljitsch van Beijnum / Iljitsch is a contributing writer at Ars Technica, where he contributes articles about network protocols as well as Apple topics. He is currently finishing his Ph.D work at the telematics department at Universidad Carlos III de Madrid (UC3M) in Spain.